#41824 [Com]: move_uploaded_file open_basedir problem

[gkieffer at evolutive dot org]

 ID:               41824
 Comment by:       gkieffer at evolutive dot org
 Reported By:      mueller at intertrend dot de
 Status:           No Feedback
 Bug Type:         Safe Mode/open_basedir
 Operating System: SUSE LINUX 10.0
 PHP Version:      4.4.7
 New Comment:

Hi,

After some investigation, here's what I've found.

move_uploaded_file() makes use of the internal PHP function
php_copy_file() when source file and destination file are not on the
same filesystem (rename() works only on a single FS).

php_copy_file() changed from version 4.4.2 to 4.4.3:

# diff -u php-4.4.2/ext/standard/file.c php-4.4.3/ext/standard/file.c
[ ... discarded some stuff ...]
@@ -2196,7 +2201,7 @@
 safe_to_copy:

        srcstream = php_stream_open_wrapper(src, "rb",
-                               STREAM_DISABLE_OPEN_BASEDIR |
REPORT_ERRORS,
+                               ENFORCE_SAFE_MODE | REPORT_ERRORS,
                                NULL);

        if (!srcstream)



I guess the STREAM_DISABLE_OPEN_BASEDIR flag meant "bypass
open_basedir". And as that flag is gone...

Anyway, even with PHP 4.4.3 and above, if 'upload_tmp_dir' and the
destination of move_uploaded_file() are on the same FS, everything works
fine as as "rename()" is used (which is not affected by open_basedir
restrictions).

I "solved" the issue by moving my upload_tmp_dir to the same FS where
my websites are stored.

Bye,
G.


Previous Comments:
------------------------------------------------------------------------

[2007-10-08 09:45:00] gkieffer at evolutive dot org

Hi,

I have the same behavior (that contradicts the documentation): source
argument of move_uploaded_file() is checked against open_basedir.

As requested by '[EMAIL PROTECTED]', I've tried the latest PHP4 snapshot
(php4-STABLE-200710080830) and the open_basedir restriction is still
enforced on the source parameter of move_uploaded_file.

4.4.8-dev (snapshot): KO
4.4.7 : KO
4.4.6 : KO
4.4.5 : KO
4.4.3 : KO
4.4.2 : OK
4.4.1 : (I assume, I haven't tested it)
4.4.0 : OK

Here's some extra info about my environment:
Linux Debian Sarge
Apache 2.0.59 (compiled, not a Debian pkg)
PHP 4.4.x compiled as a module for Apache 2.0.59

upload_tmp_dir = /var/run/php-file-uploads

open_basedir = /wrk1/htdocssds/site.fqdn/

/var and /wrk1 are different (ext3) filesystems.

destination dir of move_uploaded_file() is
/wrk1/htdocssds/site.fqdn/backoffice/photo_gest/

If I add '/var/run/php-file-uploads/' to open_basedir everything works
fine but this is not the expected behavior.

Hope it helps !

Bye,
G.

------------------------------------------------------------------------

[2007-07-05 01:00:01] php-bugs at lists dot php dot net

No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".

------------------------------------------------------------------------

[2007-06-27 15:49:08] [EMAIL PROTECTED]

Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip



------------------------------------------------------------------------

[2007-06-27 14:16:47] mueller at intertrend dot de

Description:
------------
move_uploaded_file() does not work if open_basedir is set.

settings in php.ini:
file_uploads = On
upload_tmp_dir = /tmp

settings in httpd.conf:
php_admin_value open_basedir /www/com/servername

tmp-dir and destination-dir are on the same filesystem.

Reproduce code:
---------------
$uploaddir = '/www/com/servername';
$uploadfile = $uploaddir . basename($_FILES['userfile']['tmp_name']);

echo '<pre>';
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile))
{
    echo "File is valid, and was successfully uploaded.\n";
} else {
    echo "Possible file upload attack!\n";
}

echo 'Here is some more debugging info:';
print_r($_FILES);

print "</pre>";


Expected result:
----------------
File is valid, and was successfully uploaded.

Actual result:
--------------
Warning:  move_uploaded_file() [function.move-uploaded-file]:
open_basedir restriction in effect. File(/tmp/php5bwW9n) is not within
the allowed path(s): (/www/com/servername) in
/www/com/servername/test.php on line 9



Warning:  move_uploaded_file(/tmp/php5bwW9n)
[function.move-uploaded-file]: failed to open stream: Operation not
permitted in /www/com/servername/test.php on line 9



Warning:  move_uploaded_file() [function.move-uploaded-file]: Unable to
move '/tmp/php5bwW9n' to '/www/com/servername/php5bwW9n' in
/www/com/servername/test.php on line 9

Possible file upload attack!
Here is some more debugging info:Array
(
    [userfile] => Array
        (
            [name] => Neu Textdokument (2).txt
            [type] => text/plain
            [tmp_name] => /tmp/php5bwW9n
            [error] => 0
            [size] => 1500
        )

)


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=41824&edit=1